In a fireside chat with SINET CEO Robert Rodriguez, Kjetil Nilsen, Director General, Norwegian National Security Authority, described what he characterized as the "value chain" every developed society lives with today. Even a very simple transaction—he took buying groceries as his example—now involves a very large number of participants. Norwegian society is close to cashless today. "There are no other options," he said. "You can't roll this back." If we've reached a level of digitalization from which we can't retreat, what does that say about the future of security?
The threat landscape and how to negotiate it.
Kim Dozier of the CipherBrief moderated a panel of government and industry security experts who described where they thought we were and where they believed we should go. The panelists included Tom Patterson (Unisys), John Rogers (BNP Paribas), and Christopher Wlaschin (CISO, US Department of Health and Human Services).
To the question about what they see looming darkly in the near-to-mid future, the panelist thought that data corruption would become increasingly worrisome. Wlacshin in fact said that the healthcare sector had already seen minor indications of data integrity issues forming.
Speaking from the perspective of the financial services sector, Rogers worried that an attack like WannaCry or NotPetya could wipe out institutions, and, specifically addressing data corruption, saw the possibility of hackers influencing markets.
Patterson warned that coordinated attacks across sectors were "the nightmare scenario."
Cooperating for resilience.
Patterson offered a clear perspective on security. "Security is an impossible goal in an open society. Resiliency is not—that's achievable, but you've got to change mindsets to get there." Resilience should be the goal, the ability to work through and recover from a cyber attack. Different sectors, the panel thought, exhibited different degrees of resilience, and there are lessons they could learn from one another.
Rogers described Sheltered Harbor as an excellent example of a resilience measure we find in the financial sector, which provides cooperative ways for financial service customers to be made whole in the event of a devastating attack on the institutions they do business with. This is a relatively recent construct, only some two years old, a voluntary organization that the panel agreed had potential as a model to be extended to other sectors.
Building and achieving a world-class incident response capability.
Since resilience depends significantly on incident response capability, what goes into developing that capability in any organization? One of the first day's workshops took up this question. Michael Papay (Northrop Grumman Chief Information Security Officer) moderated a panel whose members included Devon Bryan (Executive Vice President and Chief Information Security Officer, the US Federal Reserve System), Mary N. Chaney (Vice President, International Consortium of Minority Cybersecurity Professionals), Dario Forte (Chief Executive Officer, DF Labs), and Matt Olsen (Co-Founder, IronNet Cybersecurity).
The panel expressed immediate consensus on the imperative of automation, if for no other reason than the well-known danger of Security Operations Center (SOC) personnel burn-out. Automation should be integrated for correlation, they agreed, which in turn leads to orchestration.
Olsen observed that the ability to take an alert generated by a machine, and then place it into context, is vital, but the human ability to do so requires a rare set of skills. Organizations remain rightly reluctant to turn incident response over to automated systems. But they are willing, Forte thought, to automate triage. Bryan agreed: billions of events need to be reduced to a few hundred incidents, which can then be triaged and addressed with appropriate urgency.
Papay asked whether the panel thought there was a useful temporal metric that might be applied in assessing resilience. "Resilience means being able to mount a rapid response to an attack. How fast do you have to be? Milliseconds, seconds, minutes, hours, days?" Resilience, Bryan thought, isn't really measured in mean time to respond. What we want from resilience is to be able to work through an incident. And escalation procedures, Chaney argued, are important because executive expectations are often poorly matched to the actual gravity of an incident.
Chaney thought that if you can identify those things that need a millisecond response—and not everything does—you can build a technology to do that. "We try to boil the ocean," and that's a mistake. This is where sound risk management practices show their value. "If it's not affecting business, just clean it up and move on."
Bryan doubted that there was a bright line between automation and orchestration. He also noted that it can be difficult to distinguish orchestration from simple organizational maturity.
To this point Chaney observed the importance of process. "Hunting involves marksmen, looking for people who are attacking your company."
Bryan, near the end of the discussion, quoted a mentor of his on automation: "A fool with a tool is still a fool." World-class teams are anchored in people, process, and technology. Know what normal looks like for the enterprise, because you can't protect what you don't know about.